/**
 * Verifies that {@code userName} holds, directly or through {@code curRoles}, every privilege in
 * {@code reqPrivileges} on {@code hivePrivObject}.
 *
 * <p>The privileges actually granted on the object are read from the metastore; the required
 * set is diffed against them and each shortfall is turned into a denial message that is handed
 * to {@link SQLAuthorizationUtils#assertNoDeniedPermissions}, which is where the access-control
 * failure surfaces to the caller (inferred from the throws clause).
 *
 * @param reqPrivileges   privileges the operation needs on the object
 * @param hivePrivObject  the object being accessed
 * @param metastoreClient client used to look up granted privileges
 * @param userName        the requesting user
 * @param curRoles        roles currently active for the user
 * @param isAdmin         whether the user is acting with the admin role
 * @param opType          the operation, reported in the denial
 * @throws HiveAuthzPluginException   on metastore/plugin failures
 * @throws HiveAccessControlException if any required privilege is missing
 */
private static void checkRequiredPrivileges(RequiredPrivileges reqPrivileges,
    HivePrivilegeObject hivePrivObject, IMetaStoreClient metastoreClient, String userName,
    List<String> curRoles, boolean isAdmin, HiveOperationType opType)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // What the user actually holds on this object, via direct grants and the active roles.
  RequiredPrivileges granted = SQLAuthorizationUtils.getPrivilegesFromMetaStore(
      metastoreClient, userName, hivePrivObject, curRoles, isAdmin);

  // Required-minus-granted; anything left over is a denial.
  Collection<SQLPrivTypeGrant> shortfall = reqPrivileges.findMissingPrivs(granted);
  List<String> denials = new ArrayList<String>();
  SQLAuthorizationUtils.addMissingPrivMsg(shortfall, hivePrivObject, denials);

  HivePrincipal requester = new HivePrincipal(userName, HivePrincipalType.USER);
  SQLAuthorizationUtils.assertNoDeniedPermissions(requester, opType, denials);
}
/**
 * Converts the thrift privilege set attached to an object into the plugin's
 * {@link RequiredPrivileges} representation.
 *
 * <p>Both the user-keyed and the role-keyed grant maps are folded in through
 * {@code addRequiredPrivs}. A non-null user map must hold exactly one entry; any other count is
 * rejected rather than silently merged, since it would mean the metastore returned grants for
 * someone other than the single user that was asked about.
 *
 * @param thrifPrivs privilege set as returned by the metastore
 * @return the accumulated privileges
 * @throws HiveAuthzPluginException if the user map holds a number of entries other than one
 */
private static RequiredPrivileges getRequiredPrivsFromThrift(PrincipalPrivilegeSet thrifPrivs)
    throws HiveAuthzPluginException {
  RequiredPrivileges result = new RequiredPrivileges();

  Map<String, List<PrivilegeGrantInfo>> byUser = thrifPrivs.getUserPrivileges();
  if (byUser != null) {
    int userEntries = byUser.size();
    if (userEntries != 1) {
      throw new HiveAuthzPluginException(
          "Invalid number of user privilege objects: " + userEntries);
    }
  }
  addRequiredPrivs(result, byUser);

  // The role map is passed through as-is (a null map is handed to addRequiredPrivs unchanged).
  Map<String, List<PrivilegeGrantInfo>> byRole = thrifPrivs.getRolePrivileges();
  addRequiredPrivs(result, byRole);

  return result;
}
/**
 * Creates a validator bound to one session's metastore access, configuration and identity.
 *
 * <p>The session context is not stored verbatim: it is first passed through
 * {@link SQLAuthorizationUtils#applyTestSettings}, which may adjust it based on {@code conf}.
 *
 * @param metastoreClientFactory source of metastore clients for privilege lookups
 * @param conf                   Hive configuration
 * @param authenticator          supplies the user name that is authorized
 * @param privilegeManager       access controller queried for current roles / admin status
 * @param ctx                    session context (possibly adjusted, see above)
 * @throws HiveAuthzPluginException if applying the session settings fails
 */
public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator,
    SQLStdHiveAccessControllerWrapper privilegeManager, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  this.metastoreClientFactory = metastoreClientFactory;
  this.conf = conf;
  this.authenticator = authenticator;
  this.privController = privilegeManager;
  // Adjusted rather than stored as given; uses the conf parameter, not the field.
  HiveAuthzSessionContext effectiveCtx = SQLAuthorizationUtils.applyTestSettings(ctx, conf);
  this.ctx = effectiveCtx;
}
objectRef, userName, null); } catch (MetaException e) { throwGetPrivErr(e, hivePrivObject, userName); } catch (TException e) { throwGetPrivErr(e, hivePrivObject, userName); } catch (HiveException e) { throwGetPrivErr(e, hivePrivObject, userName); filterPrivsByCurrentRoles(thrifPrivs, curRoles); RequiredPrivileges privs = getRequiredPrivsFromThrift(thrifPrivs); if (isOwner(metastoreClient, userName, curRoles, hivePrivObject)) { privs.addPrivilege(SQLPrivTypeGrant.OWNER_PRIV);
/**
 * Fetches the roles of the current user from the metastore, expanded to include every ancestor
 * role, and returns all of them except the admin role.
 *
 * <p>The admin role, if present, is recorded in {@code this.adminRole} instead of being
 * returned — presumably so that admin privileges are not active until explicitly selected
 * (confirm against the callers that read {@code adminRole}).
 *
 * @return the user's non-admin roles (direct and inherited)
 * @throws HiveAuthzPluginException if the metastore lookup fails for any reason
 */
private List<HiveRoleGrant> getRolesFromMS() throws HiveAuthzPluginException {
  try {
    List<RolePrincipalGrant> directGrants = getRoleGrants(currentUserName, PrincipalType.USER);

    // Expand transitively; keyed by role name so each role appears once.
    Map<String, HiveRoleGrant> allRoles = new HashMap<String, HiveRoleGrant>();
    getAllRoleAncestors(allRoles, directGrants);

    List<HiveRoleGrant> nonAdminRoles = new ArrayList<HiveRoleGrant>(directGrants.size());
    for (HiveRoleGrant grant : allRoles.values()) {
      if (HiveMetaStore.ADMIN.equalsIgnoreCase(grant.getRoleName())) {
        this.adminRole = grant;
      } else {
        nonAdminRoles.add(grant);
      }
    }
    return nonAdminRoles;
  } catch (Exception e) {
    // Boundary with the metastore: every failure is reported as a plugin exception with cause.
    throw SQLAuthorizationUtils.getPluginException(
        "Failed to retrieve roles for " + currentUserName, e);
  }
}
case LOCAL_URI: case DFS_URI: availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hiveObj.getObjectName()), conf, userName); break; availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(metastoreClient, userName, hiveObj, privController.getCurrentRoleNames(), privController.isUserAdmin()); SQLAuthorizationUtils.addMissingPrivMsg(missingPriv, hiveObj, deniedMessages);
/**
 * Grants {@code hivePrivileges} on {@code hivePrivObject} to each of {@code hivePrincipals}.
 *
 * <p>The privilege list is first expanded and validated, then the grant itself is authorized
 * against the current user's roles and admin status before anything is written to the
 * metastore; the write happens only if that check does not throw.
 *
 * @param hivePrincipals   recipients of the grant
 * @param hivePrivileges   privileges to grant (expanded/validated before use)
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal recorded as the grantor
 * @param grantOption      whether recipients may grant these privileges onward
 * @throws HiveAuthzPluginException   if the metastore write or a plugin step fails
 * @throws HiveAccessControlException if the current user is not allowed to make this grant
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilege> effectivePrivs = expandAndValidatePrivileges(hivePrivileges);
  IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();

  // Authorize first: the grant reaches the metastore only if this returns normally.
  GrantPrivAuthUtils.authorize(hivePrincipals, effectivePrivs, hivePrivObject, grantOption,
      client, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());

  PrivilegeBag bag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals,
      effectivePrivs, hivePrivObject, grantorPrincipal, grantOption);
  try {
    client.grant_privileges(bag);
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
  }
}
List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException { HiveObjectRef privObj = getThriftHiveObjectRef(hivePrivObject); PrivilegeBag privBag = new PrivilegeBag(); for (HivePrivilege privilege : hivePrivileges) { + " is not supported in sql standard authorization mode"); PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) {
SQLAuthorizationUtils.getThriftHiveObjectRef(privObj)); throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
/**
 * Authorizes {@code hiveOpType} for the current user against its input and output objects.
 *
 * <p>Input and output objects are checked separately (each side may need different privileges
 * for the same operation); the denial messages from both sides are accumulated into one list
 * and reported together, so the user sees every missing privilege in a single failure rather
 * than one at a time.
 *
 * @param hiveOpType  the operation being performed
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context     additional authorization context (not inspected here)
 * @throws HiveAuthzPluginException   on plugin/metastore failures
 * @throws HiveAccessControlException if any required privilege is missing
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  String user = authenticator.getUserName();
  List<String> denials = new ArrayList<>();

  checkPrivileges(hiveOpType, inputHObjs, user, Operation2Privilege.IOType.INPUT, denials);
  checkPrivileges(hiveOpType, outputHObjs, user, Operation2Privilege.IOType.OUTPUT, denials);

  HivePrincipal requester = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
  SQLAuthorizationUtils.assertNoDeniedPermissions(requester, hiveOpType, denials);
}
/**
 * Adds to {@code availPrivs} the privileges {@code userName} holds on <em>all</em> of
 * {@code fileStatuses}.
 *
 * <p>The per-path privilege sets are intersected, so a privilege is granted only if the user
 * has it on every path — the conservative choice for a multi-path object. The loop stops early
 * once the intersection is empty, since it cannot grow again. An empty array adds nothing.
 *
 * @param userName     the user whose filesystem access is evaluated
 * @param availPrivs   accumulator that receives the intersected privileges
 * @param fs           filesystem the statuses belong to
 * @param fileStatuses paths to evaluate
 * @param recurse      whether to descend into directories (forwarded to the per-path check)
 * @throws Exception propagated from the per-path privilege lookup
 */
private static void addPrivilegesFromFS(String userName, RequiredPrivileges availPrivs,
    FileSystem fs, FileStatus[] fileStatuses, boolean recurse) throws Exception {
  if (fileStatuses.length == 0) {
    return;
  }
  Set<SQLPrivTypeGrant> common = getPrivilegesFromFS(userName, fs, fileStatuses[0], recurse);
  int idx = 1;
  // Intersect with each remaining path; an empty intersection ends the loop early.
  while (idx < fileStatuses.length && !common.isEmpty()) {
    Set<SQLPrivTypeGrant> here = getPrivilegesFromFS(userName, fs, fileStatuses[idx], recurse);
    common.retainAll(here);
    idx++;
  }
  SQLPrivTypeGrant[] asArray = common.toArray(new SQLPrivTypeGrant[common.size()]);
  availPrivs.addAll(asArray);
}
msObjPrivs = mClient.list_privileges(principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType()), SQLAuthorizationUtils.getThriftHiveObjectRef(hivePrivObject)); } catch (MetaException e) { throw new HiveAuthzPluginException(e);
objectRef, userName, null); } catch (MetaException e) { throwGetPrivErr(e, hivePrivObject, userName); } catch (TException e) { throwGetPrivErr(e, hivePrivObject, userName); } catch (HiveException e) { throwGetPrivErr(e, hivePrivObject, userName); filterPrivsByCurrentRoles(thrifPrivs, curRoles); RequiredPrivileges privs = getRequiredPrivsFromThrift(thrifPrivs); if (isOwner(metastoreClient, userName, curRoles, hivePrivObject)) { privs.addPrivilege(SQLPrivTypeGrant.OWNER_PRIV);
/**
 * Fetches the roles of the current user from the metastore, expanded to include every ancestor
 * role, and returns all of them except the admin role.
 *
 * <p>The admin role, if present, is recorded in {@code this.adminRole} instead of being
 * returned — presumably so that admin privileges are not active until explicitly selected
 * (confirm against the callers that read {@code adminRole}).
 *
 * @return the user's non-admin roles (direct and inherited)
 * @throws HiveAuthzPluginException if the metastore lookup fails for any reason
 */
private List<HiveRoleGrant> getRolesFromMS() throws HiveAuthzPluginException {
  try {
    List<RolePrincipalGrant> directGrants = getRoleGrants(currentUserName, PrincipalType.USER);

    // Expand transitively; keyed by role name so each role appears once.
    Map<String, HiveRoleGrant> allRoles = new HashMap<String, HiveRoleGrant>();
    getAllRoleAncestors(allRoles, directGrants);

    List<HiveRoleGrant> nonAdminRoles = new ArrayList<HiveRoleGrant>(directGrants.size());
    for (HiveRoleGrant grant : allRoles.values()) {
      if (HiveMetaStore.ADMIN.equalsIgnoreCase(grant.getRoleName())) {
        this.adminRole = grant;
      } else {
        nonAdminRoles.add(grant);
      }
    }
    return nonAdminRoles;
  } catch (Exception e) {
    // Boundary with the metastore: every failure is reported as a plugin exception with cause.
    throw SQLAuthorizationUtils.getPluginException(
        "Failed to retrieve roles for " + currentUserName, e);
  }
}
case LOCAL_URI: case DFS_URI: availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hiveObj.getObjectName()), conf, userName); break; availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(metastoreClient, userName, hiveObj, privController.getCurrentRoleNames(), privController.isUserAdmin()); SQLAuthorizationUtils.addMissingPrivMsg(missingPriv, hiveObj, deniedMessages);
/**
 * Grants {@code hivePrivileges} on {@code hivePrivObject} to each of {@code hivePrincipals}.
 *
 * <p>The privilege list is first expanded and validated, then the grant itself is authorized
 * against the current user's roles and admin status before anything is written to the
 * metastore; the write happens only if that check does not throw.
 *
 * @param hivePrincipals   recipients of the grant
 * @param hivePrivileges   privileges to grant (expanded/validated before use)
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal recorded as the grantor
 * @param grantOption      whether recipients may grant these privileges onward
 * @throws HiveAuthzPluginException   if the metastore write or a plugin step fails
 * @throws HiveAccessControlException if the current user is not allowed to make this grant
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilege> effectivePrivs = expandAndValidatePrivileges(hivePrivileges);
  IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();

  // Authorize first: the grant reaches the metastore only if this returns normally.
  GrantPrivAuthUtils.authorize(hivePrincipals, effectivePrivs, hivePrivObject, grantOption,
      client, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());

  PrivilegeBag bag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals,
      effectivePrivs, hivePrivObject, grantorPrincipal, grantOption);
  try {
    client.grant_privileges(bag);
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
  }
}
List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException { HiveObjectRef privObj = getThriftHiveObjectRef(hivePrivObject); PrivilegeBag privBag = new PrivilegeBag(); for (HivePrivilege privilege : hivePrivileges) { + " is not supported in sql standard authorization mode"); PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) {
SQLAuthorizationUtils.getThriftHiveObjectRef(privObj)); throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
/**
 * Authorizes {@code hiveOpType} for the current user against its input and output objects.
 *
 * <p>Input and output objects are checked separately (each side may need different privileges
 * for the same operation) using one metastore client; denial messages from both sides are
 * accumulated and reported together so the user sees every missing privilege in one failure.
 * When debug logging is on, the operation, user, objects and context are logged before the
 * check — note that this puts object names and the full context into the log.
 *
 * @param hiveOpType  the operation being performed
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context     additional authorization context (logged only)
 * @throws HiveAuthzPluginException   on plugin/metastore failures
 * @throws HiveAccessControlException if any required privilege is missing
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  if (LOG.isDebugEnabled()) {
    StringBuilder msg = new StringBuilder("Checking privileges for operation ");
    msg.append(hiveOpType).append(" by user ").append(authenticator.getUserName())
        .append(" on ").append(" input objects ").append(inputHObjs)
        .append(" and output objects ").append(outputHObjs)
        .append(". Context Info: ").append(context);
    LOG.debug(msg.toString());
  }

  String user = authenticator.getUserName();
  IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();
  List<String> denials = new ArrayList<String>();

  checkPrivileges(hiveOpType, inputHObjs, client, user, IOType.INPUT, denials);
  checkPrivileges(hiveOpType, outputHObjs, client, user, IOType.OUTPUT, denials);

  HivePrincipal requester = new HivePrincipal(user, HivePrincipalType.USER);
  SQLAuthorizationUtils.assertNoDeniedPermissions(requester, hiveOpType, denials);
}
/**
 * Adds to {@code availPrivs} the privileges {@code userName} holds on <em>all</em> of
 * {@code fileStatuses}.
 *
 * <p>The per-path privilege sets are intersected, so a privilege is granted only if the user
 * has it on every path — the conservative choice for a multi-path object. The loop stops early
 * once the intersection is empty, since it cannot grow again. An empty array adds nothing.
 *
 * @param userName     the user whose filesystem access is evaluated
 * @param availPrivs   accumulator that receives the intersected privileges
 * @param fs           filesystem the statuses belong to
 * @param fileStatuses paths to evaluate
 * @param recurse      whether to descend into directories (forwarded to the per-path check)
 * @throws Exception propagated from the per-path privilege lookup
 */
private static void addPrivilegesFromFS(String userName, RequiredPrivileges availPrivs,
    FileSystem fs, FileStatus[] fileStatuses, boolean recurse) throws Exception {
  if (fileStatuses.length == 0) {
    return;
  }
  Set<SQLPrivTypeGrant> common = getPrivilegesFromFS(userName, fs, fileStatuses[0], recurse);
  int idx = 1;
  // Intersect with each remaining path; an empty intersection ends the loop early.
  while (idx < fileStatuses.length && !common.isEmpty()) {
    Set<SQLPrivTypeGrant> here = getPrivilegesFromFS(userName, fs, fileStatuses[idx], recurse);
    common.retainAll(here);
    idx++;
  }
  SQLPrivTypeGrant[] asArray = common.toArray(new SQLPrivTypeGrant[common.size()]);
  availPrivs.addAll(asArray);
}